It’s frustrating that in 2016 we still have to be careful when opening emails. For all of our advances in technology, the scammers have advanced too, and they’re making a nice sum of money from ‘ransomware’ infections. Threats like Cryptolocker are prevalent among home users who wonder what package delivery they missed, and whose anti-virus software is just not up to the task of detecting and removing these kinds of programs before it’s too late.
Cryptolocker – What to Consider
If you’re an Enterprise systems administrator or in a corporate IT security role, you should know what steps have been taken within your company to minimise the threat of ransomware. If you haven’t done anything specifically to address this risk, don’t leave it until it’s too late. Mitigation steps range from blocking .exe and .zip files in email, through Group Policy settings that stop installers launching from the App Data or Local App Data folders, to third-party software or firewall solutions. Third Tier Solutions have packaged a great ransomware prevention kit and are asking for a donation, which will support women who want to enter IT: http://www.thirdtier.net/ransomware-prevention-kit/
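The first of those mitigations, filtering executable attachments at the mail gateway, is easy to illustrate. The following is an added example written for this article, not code from the post or from Third Tier’s kit. It goes slightly beyond the blanket “.exe and .zip” rule: a .zip attachment is opened in memory and held only if one of its members is an executable (the usual way a Cryptolocker dropper is wrapped), while archives of ordinary documents pass. The extension list, the function names and the sample attachments are all constructed for the demo.

```python
"""Added example: a minimal mail-gateway attachment check for ransomware droppers.

classify_attachment() returns ("block", reason) or ("allow", reason) for one
attachment. Executables are blocked by extension; .zip archives are inspected
and blocked if any member is an executable, or if the archive will not parse.
"""
from __future__ import annotations

import io
import zipfile

# Assumption: a conservative list of extensions treated as executable content.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
ARCHIVE_EXTS = {".zip"}


def _ext(name: str) -> str:
    """Lower-cased final extension, so 'Notice.PDF.exe' yields '.exe'."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def classify_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Decide whether one attachment should be held for review."""
    ext = _ext(filename)
    if ext in EXECUTABLE_EXTS:
        return "block", f"executable attachment {filename}"
    if ext in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _ext(member) in EXECUTABLE_EXTS:
                        return "block", f"{filename} contains executable {member}"
        except zipfile.BadZipFile:
            # A .zip that does not parse is itself suspicious: hold it.
            return "block", f"{filename} is not a valid zip archive"
    return "allow", "no executable content detected"


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory zip archive (constructed sample data for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: a real document, a bare executable, a typical
    # "missed parcel" lure with a double extension inside a zip, and a harmless zip.
    samples = {
        "report.pdf": b"%PDF-1.4 ...",
        "invoice.exe": b"MZ...",
        "parcel.zip": build_sample_zip({"Delivery_Notice.pdf.exe": b"MZ..."}),
        "photos.zip": build_sample_zip({"a.jpg": b"\xff\xd8\xff"}),
    }
    for name, data in samples.items():
        print(name, classify_attachment(name, data))
```

Checking only the last extension is what makes the double-extension lure (`Delivery_Notice.pdf.exe`) fall into the block list; a filter that looked for `.pdf` anywhere in the name would let it through. Unparseable archives are held rather than passed, because a broken zip is far more likely to be an evasion attempt than a legitimate business document.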
Unfortunately, small and medium businesses are being hit the hardest by ransomware scammers. They often don’t have comprehensive, Enterprise-grade security tools or controls in place. Many ‘micro businesses’ (with 5 staff or fewer) have no better protection than home users. And the impact of a ransomware infection is huge, with productivity downtime directly resulting in lost sales or an inability to service customers.
Another trait of many SMBs is a prevalence of Cloud file storage solutions. Synchronizing files between the local machine and the Cloud is turned on by default, leading some organizations to believe that they are covered by their ‘Cloud backup’.
Hearing horror stories of damaged, encrypted files can lead an SMB to look at alternative Cloud solutions without understanding the infection mechanism. But if your Cloud file storage syncs changes between local files and your Cloud files, it’s not going to matter whether you use Box, DropBox, Google Drive or OneDrive – you’re still going to overwrite your Cloud files with the encrypted versions and potentially sync those changes to other computers.
What to Do
Your choice of Cloud provider will make a difference when it comes to their recovery process for a ransomware attack such as cryptolocker.
At a minimum, you should easily be able to recover a previous version of a single file, after you’ve made sure your computer has been cleaned of the infection program. Once you start talking about multiple files, folders and subfolders, a complete ‘rollback’ of your account to a previous point in time will be a more effective solution. How often those recovery point snapshots are taken determines how much real work you may lose.
You also need to be confident that a support request for a rollback/restore is going to be actioned in a timely manner. Would you be happy with “fill in a form and we will get back to you”?
Finally, make sure you review ALL of the places where you store or sync files, as some free services only give you a 30-day window to access your recovery points, or even just a 3-day window to lodge a request.
Ultimately, we’d like to see a detection mechanism in place where a large number of upload writes to existing Cloud files triggers a temporary suspension of the sync (until you can confirm that it’s a valid upload).
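To make that wish concrete, here is an added sketch of such a rule, written for this article and not taken from the post or from any Cloud provider’s client. It models a sync client that counts uploads which overwrite files already in the Cloud inside a sliding time window, and pauses syncing once the count crosses a threshold until someone confirms the burst was legitimate. The event format, the window length, the threshold and the three constructed event streams are all assumptions for the demo.

```python
"""Added example: a burst detector that pauses cloud sync on mass overwrites.

An encrypting process rewrites many existing files in a short time; a user
editing documents does not, and a bulk import adds *new* files rather than
overwriting old ones. Counting only overwrites of existing files inside a
sliding window separates the three cases.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Iterable, Optional


@dataclass
class SyncEvent:
    ts: float        # seconds since an arbitrary epoch (assumed event format)
    path: str
    existing: bool   # True if this upload overwrites a file already in the Cloud


class OverwriteBurstDetector:
    def __init__(self, window_seconds: float = 60.0, max_overwrites: int = 20):
        self.window = window_seconds
        self.max_overwrites = max_overwrites
        self._recent: Deque[float] = deque()   # timestamps of overwrites in the window
        self.suspended = False

    def observe(self, ev: SyncEvent) -> bool:
        """Feed one sync event; return True while syncing should stay paused."""
        if self.suspended:
            return True
        if ev.existing:
            self._recent.append(ev.ts)
        # Slide the window: forget overwrites older than window_seconds.
        while self._recent and ev.ts - self._recent[0] > self.window:
            self._recent.popleft()
        if len(self._recent) >= self.max_overwrites:
            self.suspended = True
        return self.suspended

    def confirm_legitimate(self) -> None:
        """An operator confirms the burst was a valid bulk upload; resume syncing."""
        self.suspended = False
        self._recent.clear()


def run_stream(events: Iterable[SyncEvent], **kw) -> Optional[int]:
    """Return the index of the event that triggered suspension, or None."""
    det = OverwriteBurstDetector(**kw)
    for i, ev in enumerate(events):
        if det.observe(ev):
            return i
    return None


# Constructed event streams for the demo.
def normal_day() -> list:
    # A user saves five documents, one every ten minutes.
    return [SyncEvent(ts=i * 600.0, path=f"docs/report{i}.docx", existing=True) for i in range(5)]


def encryption_run() -> list:
    # A process overwrites 40 existing spreadsheets in ten seconds.
    return [SyncEvent(ts=0.25 * i, path=f"docs/file{i}.xlsx", existing=True) for i in range(40)]


def bulk_import() -> list:
    # 100 brand-new photos added in ten seconds: fast, but not overwrites.
    return [SyncEvent(ts=0.1 * i, path=f"import/photo{i}.jpg", existing=False) for i in range(100)]


if __name__ == "__main__":
    for name, stream in [("normal day", normal_day()),
                         ("encryption run", encryption_run()),
                         ("bulk import", bulk_import())]:
        print(f"{name}: suspended at event {run_stream(stream)}")
```

The deliberate design choice is to count overwrites rather than raw upload volume: a first-time upload of a photo library would otherwise look identical to an encryption run. The suspended state is sticky until `confirm_legitimate()` is called, because the whole point is that a human decides whether the burst was a valid upload before any more changes propagate to the Cloud and on to other synced machines.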
Until that exists, small businesses need to be crystal clear about what protection the Cloud offers them and what it doesn’t. You get what you pay for, and it’s a stark reminder that the support offered by free, consumer-grade Cloud solutions may not meet the needs of a small business when things go wrong, such as a ransomware attack like Cryptolocker.